Evidence Types
Public vs. Private Sector Investigations
Legal Procedures
Digital Forensics Tools
Free-for-All
100

Mahmood is examining a device for digital evidence. There are two types of evidence he is looking for. Which type of evidence will prove that his client is not guilty?
     a.     Inculpatory evidence
     b.     Exculpatory evidence
     c.     Miaculpatory evidence
     d.     Discretionary evidence

     b.     Exculpatory evidence

100

Thanks to the dark web, anybody can access computer programs that will help users exfiltrate (remove) data from any type of computer or network. Because of this activity, white-collar crime and industrial espionage are on the rise. How does white-collar crime compare to industrial espionage?
     a.     White-collar crime refers to financial crimes committed in a business or professional setting, while espionage refers to the unauthorized sharing of confidential information to a competitor or foreign entity.
     b.     Espionage refers to financial crimes committed in a business or professional setting, while white-collar crime refers to the unauthorized sharing of confidential information to a competitor or foreign entity.
     c.     White-collar crime is the same as espionage, and both are punishable offenses.
     d.     White-collar crime and espionage are victimless crimes.

     a.     White-collar crime refers to financial crimes committed in a business or professional setting, while espionage refers to the unauthorized sharing of confidential information to a competitor or foreign entity.

100

When conducting a computer investigation for potential criminal violations of the law, the legal processes you follow depend on local customs, legislative standards, and rules of evidence. In general, however, a criminal case follows three stages. What are those three stages?
     a.     Complaint, the investigation, and the prosecution
     b.     Complaint, discovery, and the trial
     c.     Complaint, service of process, and motions
     d.     Complaint, answer, discovery, and trial

     a.     Complaint, the investigation, and the prosecution

100

Kevin is about to begin an examination of a hard drive. Out of all the tools available to him, which one is the most important to keep the OS from writing data to the hard drive?
     a.     SCSI card
     b.     Network interface card (NIC)
     c.     Write-blocker
     d.     Target drive

     c.     Write-blocker

100

Hector is validating digital evidence using a hashing algorithm utility that creates a binary or hexadecimal number that represents the uniqueness of the data set. Because it is unique, a binary or hexadecimal number is often referred to as a "digital fingerprint."
     a.     True
     b.     False

True

200

Lucy needs to make a forensic initial assessment about a case she is investigating. What are some of the steps she needs to take for the assessment?
     a.     Has law enforcement apprehended a suspect?
     b.     Have law enforcement or company security officers already seized the computer, disks, peripherals, and other components?
     c.     Was a computer or a laptop found?
     d.     Is the president of the company available?

     b.     Have law enforcement or company security officers already seized the computer, disks, peripherals, and other components?

200

Allen works for a small newspaper. There is no corporate security investigations group, no written or verbal acceptable use policy, and the publisher (owner) owns the rights to all the computer hardware and software. One day, the publisher calls him into the office and asks him to help them with an email problem. Upon fixing the problem, Allen discovers that there are illicit photos (no one was underage) on the publisher's laptop. The publisher later asks Allen to sanitize the laptop because the publisher wants to give it to their grandson. Allen must go through the laptop to find all the photos. What can Allen do to stop this work behavior?
     a.     Report the publisher to Human Resources
     b.     File a hostile work environment claim
     c.     Sanitize the laptop and do nothing else
     d.     Refuse to do the job

     b.     File a hostile work environment claim

200

Daubert v. Merrell Dow Pharmaceuticals rules that the "testimony" must be based on facts or data, whereas under the Frye v. United States rules, the "testimony" must be based on generally accepted principles in the field to which it belongs.
     a.     True
     b.     False

     a.     True

200

Dakarai has many legacy operating systems on his forensic workstation as well as the newest OSs, but he has only the most up-to-date software on his day-to-day workstation. Why does Dakarai need legacy operating systems?
     a.     It's not taking up much space on his forensic station, so why bother?
     b.     It's cheaper to keep the older software around.
     c.     Dakarai hasn't gotten around to getting rid of the old software yet.
     d.     Older computer systems may not be compatible with modern software.

     d.     Older computer systems may not be compatible with modern software.

200

Rivka is building a forensic workstation and needs to buy some hardware to get started. What are some of the types of hardware she will need to buy? (2)
     a.     A workstation running Windows 7
     b.     A write-blocker device, spare PATA and SATA ports
     c.     Network interface card (NIC)
     d.     Graphics card

     b.     A write-blocker device, spare PATA and SATA ports
     c.     Network interface card (NIC)

300

Joe has been tasked with investigating an incident at Zander Corp. What is the first rule he must follow that is important for all investigations, no matter how big or small?
     a.     Categorizing the evidence
     b.     Stabilizing the evidence
     c.     Preserve the evidence
     d.     Detain the evidence

     c.     Preserve the evidence

300

What are the main differences between public-sector investigations and private-sector investigations? (2)
     a.     Private-sector investigations involve government agencies responsible for criminal investigations and prosecution. Public-sector investigations focus more on policy violations.
     b.     Private-sector investigations can become criminal investigations and public-sector investigations can become civil investigations depending upon the circumstances.
     c.     Public-sector investigations involve government agencies responsible for criminal investigations and prosecution. Private-sector investigations focus more on policy violations.
     d.     The private sector can ignore criminal investigations, and the public sector can ignore civil investigations.

     b.     Private-sector investigations can become criminal investigations and public-sector investigations can become civil investigations depending upon the circumstances.
     c.     Public-sector investigations involve government agencies responsible for criminal investigations and prosecution. Private-sector investigations focus more on policy violations.

300

Samantha is about to be questioned for the first time about her qualifications as an expert witness. She hears the attorney she works for calling it voir dire. Samantha wants to know what "voir dire" means. What does Samantha's attorney tell her the translation means?
     a.     To see, to say
     b.     To hear, to look
     c.     To be or not to be
     d.     To say, to see

     a.     To see, to say

300

Kailani is about to take possession of a Windows 2000 computer for forensic investigation. Why must Kailani use older forensic tools for this Windows 2000 computer?
     a.     Windows 2000 is too advanced
     b.     Windows 2000 is a legacy system
     c.     Windows 2000 is no longer used in production networks
     d.     Windows 2000 no longer works

     b.     Windows 2000 is a legacy system

300

Gabriela is setting up a workstation specifically to crack passwords. To crack passwords quickly, Gabriela needs to pick a workstation where she can install multiple graphics processing units (GPUs).
     a.     True
     b.     False

True

400

Jennifer is about to take over a computer crime case at Amcore lab. Before she begins, she must verify that the chain of custody has not been broken. She discovers that the seal on the container holding the suspect's hard drive has been broken, and there is no signature on the sign-out sheet showing that someone took the hard drive for analysis. How does this affect the chain of custody?
     a.     It does nothing to the chain of custody.
     b.     It only affects authenticity.
     c.     It breaks the chain of custody.
     d.     The custody of the data's journey is now refutable but can still be admissible.

     c.     It breaks the chain of custody.

400

You're the head of the executive management committee, and as part of your corporate governance duties you must implement a policy to define and limit who has authorization to request a computer investigation and forensics analysis (authorized requestor). Which group or groups should have the authority to request a computer investigation? (2)
     a.     The human resources department
     b.     The corporate ethics office
     c.     The general counsel or legal department
     d.     The accounting department

     b.     The corporate ethics office
     c.     The general counsel or legal department

400

Adel is going to a new district court for the first time. He is scheduled to testify as an expert witness in the case. He needs a plan in place to learn about the judge, jury pool, and other attorneys in the case, so he can determine the average knowledge, skill, and general attitude toward computers. What should he do? (2)
     a.     Sit outside a few courtrooms and listen to the way people talk.
     b.     Make an educated guess.
     c.     He should check with his attorney and local attorneys.
     d.     Find out the potential jury pool's average educational level.

     c.     He should check with his attorney and local attorneys.
     d.     Find out the potential jury pool's average educational level.

400

Akikta has been given a Windows 10 computer that needs to be investigated. Mostly, he will be recovering deleted files and checking unallocated space on the hard drive. What software might Akikta want to use? (2)
     a.     FTK Imager, X-Ways Forensics, and dd
     b.     EnCase, FTK, and Autopsy
     c.     Photorec and Scalpel
     d.     md5sum and sha256sum

     b.     EnCase, FTK, and Autopsy
     c.     Photorec and Scalpel

400

Tehya is preparing for a Digital Forensics acquisition. Preparation is key to reducing potential failure. What are some of the key elements Tehya must consider before initiating her acquisition? (2)
     a.     Is the source drive accessible or is it still in the suspect's computer?
     b.     Will Tehya be able to retain the source drive, or will it need to be returned to the owner?
     c.     Has the source drive been compromised by being misplaced?
     d.     Has the original source drive been destroyed?

     a.     Is the source drive accessible or is it still in the suspect's computer?
     b.     Will Tehya be able to retain the source drive, or will it need to be returned to the owner?

500

During an investigation, Jerry discovers that there were no matches between the network server logs and the forensic examination showing no contributing evidence that a crime was committed. What does this mean for the investigation?
     a.     The allegations were unsubstantiated and there was no misconduct
     b.     The allegations were substantiated and there was misconduct
     c.     There were no allegations, just conjecture
     d.     It was all a misunderstanding

     a.     The allegations were unsubstantiated and there was no misconduct

500

As head of Zenon's corporate IT department, Naya is tasked with analyzing the corporate mobile device policy. She needs to decide which is better: company-owned mobile devices or BYOD. As a member of the corporate security team, Naya asks you for advice on which you think will be more appropriate. When you examine all options, which environment do you think works best for Zenon? (2)
     a.     With company-owned devices, it falls on the employee to keep them updated.
     b.     With company-owned devices, all apps, files, and email can be secured.
     c.     With BYOD, employees own the devices, so companies are not liable if anything happens to the device.
     d.     With BYOD, the employee buys the device, and the company can lock it down (mobile device management).

     b.     With company-owned devices, all apps, files, and email can be secured.
     c.     With BYOD, employees own the devices, so companies are not liable if anything happens to the device.

500

Amelia is about to begin work on a new forensic examination. As she is preparing to process the evidence, the one thing that she must always keep in mind is to keep her opinions to a minimum. Why is it important for Amelia to keep her opinions to a minimum during an examination? (2)
     a.     Amelia must keep her opinions to a minimum to maintain her experience.
     b.     Amelia must keep her opinions to a minimum to maintain her composure.
     c.     Amelia must keep her opinions to a minimum to maintain her impartiality.
     d.     Amelia must keep her opinions to a minimum to maintain her credibility.

     c.     Amelia must keep her opinions to a minimum to maintain her impartiality.
     d.     Amelia must keep her opinions to a minimum to maintain her credibility.

500

Ha-Yoon must do a risk assessment for a client. The client has an employee who does not know computers very well but has recently been taking classes on computer hacking. He has been spending more time on his computer and less time working. Recently their network has seen more traffic and attempted breaches than usual. There is no acceptable use policy in place. What should Ha-Yoon recommend first to mitigate the risk to the client's network? (2)
     a.     Have the employer create an acceptable use policy and implement it.
     b.     Fire the employee
     c.     Remove the employee's computer
     d.     Replace the employee's computer, give them standard access, and isolate them from any network assets

     a.     Have the employer create an acceptable use policy and implement it.
     d.     Replace the employee's computer, give them standard access, and isolate them from any network assets

500

José manages a busy lab where the equipment runs 24/7. For this reason, he needs to schedule periodic equipment replacement. How often should José replace his equipment when it's under heavy usage?
     a.     12 months
     b.     18 months
     c.     24 months
     d.     36 months

     b.     18 months